Network address translation
by James Denton
Learning OpenStack Networking (Neutron) - Second Edition
- Learning OpenStack Networking (Neutron) Second Edition
- Table of Contents
- Learning OpenStack Networking (Neutron) Second Edition
- Credits
- About the Author
- About the Reviewers
- www.PacktPub.com
- Preface
- 1. Preparing the Network for OpenStack
- 2. Installing OpenStack
- System requirements
- Initial network configuration
- Initial steps
- Installing OpenStack
- Summary
- 3. Installing Neutron
- 4. Building a Virtual Switching Infrastructure
- Virtual network devices
- Network types supported by Neutron
- Choosing a plugin and driver
- Visualizing traffic flow when using LinuxBridge
- Visualizing the traffic flow when using Open vSwitch
- Configuring the ML2 networking plugin
- Configuring the LinuxBridge driver and agent
- Configuring the Open vSwitch driver and agent
- Summary
- 5. Creating Networks with Neutron
- Network management
- Neutron ports
- Attaching instances to networks
- Exploring how instances get their addresses
- Exploring how instances retrieve their metadata
- Summary
- 6. Managing Security Groups
- Security groups in OpenStack
- An introduction to iptables
- Working with security groups
- Managing security groups in the CLI
- Creating security groups in the CLI
- Deleting security groups in the CLI
- Listing security groups in the CLI
- Showing the details of a security group in the CLI
- Updating security groups in the CLI
- Creating security group rules in the CLI
- Deleting security group rules in the CLI
- Listing security group rules in the CLI
- Showing the details of a security group rule in the CLI
- Applying security groups to instances and ports in the CLI
- Removing security groups from instances and ports in the CLI
- Managing security groups in the CLI
- Implementing security group rules
- Working with security groups in the dashboard
- Disabling port security
- Summary
- 7. Creating Standalone Routers with Neutron
- Routing traffic in a cloud
- Installing and configuring the Neutron L3 agent
- Router management in the CLI
- Creating routers in the CLI
- Working with router interfaces in the CLI
- Listing the interfaces attached to routers
- Deleting internal interfaces
- Clearing the gateway interface
- Listing routers in the CLI
- Displaying router attributes in the CLI
- Updating router attributes in the CLI
- Deleting routers in the CLI
- Network address translation
- Floating IP management
- Demonstrating traffic flow from an instance to the Internet
- Setting the foundation
- Creating an external provider network
- Creating a Neutron router
- Attaching the router to the external network
- Testing gateway connectivity
- Creating an internal network
- Attaching the router to the internal network
- Creating instances
- Verifying instance connectivity
- Observing default NAT behavior
- Assigning floating IPs
- Reassigning floating IPs
- Router management in the dashboard
- Summary
- 8. Router Redundancy Using VRRP
- 9. Distributed Virtual Routers
- Distributing routers across the cloud
- Installing and configuring Neutron components
- Routing east-west traffic between instances
- Centralized SNAT
- Floating IPs through distributed virtual routers
- Summary
- 10. Load Balancing Traffic to Instances
- Fundamentals of load balancing
- Integrating load balancers into the network
- Installing LBaaS
- Load balancer management in the CLI
- Building a load balancer
- Load balancer management in the dashboard
- Summary
- 11. Firewall as a Service
- Enabling FWaaS
- Firewall Management in the CLI
- Managing firewall rules
- Managing firewall policies
- Creating a firewall policy in the CLI
- Deleting a firewall policy in the CLI
- Listing firewall policies in the CLI
- Showing the details of a firewall policy in the CLI
- Updating a firewall policy in the CLI
- Inserting rules into firewall policies in the CLI
- Removing rules from firewall policies in the CLI
- Managing firewalls
- Creating a firewall rule
- Creating a firewall policy
- Creating a firewall
- Demonstrating traffic flow through a firewall
- Summary
- 12. Virtual Private Network as a Service
- A. Additional Neutron Commands
- B. Virtualizing the Environment
- Index
Network address translation, or NAT, is a networking concept that was developed in the early 1990s in response to the rapid depletion of IP addresses throughout the world. Prior to NAT, every host connected to the Internet had a unique IP address.
Legacy routers support two types of NAT:
- One-to-one NAT
- Many-to-one NAT
One-to-one NAT is a method in which one IP address is directly mapped to another. Commonly referred to as static NAT, one-to-one NAT is often used to map a unique public address to a privately addressed host. Floating IPs utilize one-to-one NAT concepts.
Many-to-one NAT is a method in which multiple addresses are mapped to a single address. Many-to-one NAT employs the use of port address translation, or PAT. Neutron uses PAT to provide external access to instances behind the router when floating IPs are not assigned.
For more information on network address translation, please visit Wikipedia at http://en.wikipedia.org/wiki/Network_address_translation.
Tenant networks, when attached to a Neutron router, often utilize the router as their default gateway. By default, when a router receives traffic from an instance and routes it upstream, the router performs a port address translation and modifies the source address of the packet to appear as its own external interface address. When the translation occurs, the ephemeral source port is mapped to the original client address in a table that is referred to when the response packet is received. This ensures that the packet can be routed upstream and returned to the router, where the packet is modified and returned to the instance that initiated the connection. Neutron refers to this type of behavior as source NAT.
When users require direct inbound access to instances, a floating IP address can be utilized. A floating IP address in OpenStack is a one-to-one static NAT that maps an external address from an external network to an internal address from a tenant network. This method of NAT allows instances to be accessible from remote networks, such as the Internet. Floating IP addresses are configured on the external interface of the router, which serves as a gateway for the instance and is then responsible for modifying both the source and destination address of packets, depending on their direction.
-
No Comment